Overview

overview

10

Static

static

1

RPO-09876543456.exe

windows7-x64

8

RPO-09876543456.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RPO-09876543456.exe

  • Size

    1.2MB

  • MD5

    87f1444dda3a5714f282d0048944d7b8

  • SHA1

    96fa777c406409208dc186d66588fe2d920c2c07

  • SHA256

    250fbfdaf7c00e15d0d35edba1b28d7dfa2ca28fedbf887fbe4269dee364d066

  • SHA512

    0eaf418b96dce98d7234490cc902d2d4e1a80b82a0fcdfd94ff1b79b68f4fb4d0ab0e3a2d2fa743b02d14347a5a4bd4b316763905e37a276ce42aca03beed555

  • SSDEEP

    24576:e+YAuCcFjoX4LltOOr3C1zC+GGOG4emawVl9Rv:DPc9o473H+GS4XawVr1

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RPO-09876543456.exe
    "C:\Users\Admin\AppData\Local\Temp\RPO-09876543456.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe
      "C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe" "C:\Users\Admin\AppData\Local\Temp\fnbiv.au3"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe
        "C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe" "C:\Users\Admin\AppData\Local\Temp\fnbiv.au3"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dlhsqzxunv.hfi
    Filesize

    55KB

    MD5

    7c871d775d5fe3cb75b658c75e07ea20

    SHA1

    32a2fbf6caa9fe6d7e9f4054dbf5fc6f1a49caf6

    SHA256

    be36d489cdd236b95d4b6cec9b04d5f290997ff4a99df134ecd7f24b2ff75275

    SHA512

    d1882b5ca4efc6802e3f98e154cd2ea7e4750b6f37900b3ae807d9e1ce653f33c02783e97d09dc4fd35cf3d0dc9ed710453f6bddbb78a719dc286dd8d2ddca41

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fnbiv.au3
    Filesize

    5KB

    MD5

    e32a918af0a0d7dfef22102b72ccc289

    SHA1

    5960785cd6e71dea7d5c2ed67243e7d756add22e

    SHA256

    fddb8bf6fd35ebaae071398208ebf1cc23ae881275f9c65faf283ba9cf206564

    SHA512

    0accd8a0c8ed2b7c41916f92e9a79bb5055cf403608a672e75851b4c87ea06d9798b67eab705a53357b8559b75ff8ad3ead54642825be4674cfdf0febd64d888

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fuxvgibrz.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nqeplwpn.vie
    Filesize

    296KB

    MD5

    5f082e0fee917aea20b8ec142381129b

    SHA1

    7b3125e086e73bb3fbc4d2f655ff4d2faf7c27f4

    SHA256

    5647a05c8d0ab007763c3dc1d7b185e530a2f43a2979685d75a6e1ef1f934bb3

    SHA512

    c9bfc40c2c0c31e8f96198868d35f49180889020268802c0a10c65c9148a6df573812087caf2948a72fa94595fa4122db60a96babb301c320b4c230f37cd0887

    Download Submit
  • memory/2144-138-0x0000000000000000-mapping.dmp
    Download
  • memory/2144-140-0x0000000005C10000-0x00000000061B4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2144-141-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/2144-142-0x0000000005510000-0x00000000055AC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2144-143-0x0000000005B60000-0x0000000005BC6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2144-144-0x0000000008170000-0x00000000081C0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2144-145-0x0000000008260000-0x00000000082F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2144-146-0x0000000008310000-0x000000000831A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2176-132-0x0000000000000000-mapping.dmp
    Download